16 posts categorized "browsers"

12/05/2009

Recent Updates

I've been extremely busy with a major project at work so I haven't had a chance to post as much as I would like lately but there were some update announcements for software I use posted over the course of the last few days that I thought I should mention.  

First off, a day after the release of version 1.6.6, Groovy version 1.6.7 was released.  If I remember correctly, there was some issue with version 1.6.6 and a recent release of grails so version 1.6.7 addressed that issue.  You can download version 1.6.7 binaries from the Codehaus download site.   

Over in the JBoss world, the first milestone release of version 6 of the JBoss Application server was released this past week.  I normally don't comment on non-production releases but it has been a while since the JBoss community has announced something related to JBossAS.  This release also occurred the same week that JEE6 Platform has gotten final approval.

Release Candidate 3 of Spring 3.0 was released on December 1st.  

Camino users were treated with a new release as well.  Version 2.0.1, which addresses security-related vulnerabilities, was released this week.  

06/12/2009

The Great SSL Extended Validation Certificate Mystery

You know, these extended validation certificates really bug me--more so than they probably should but they really, really bug me. The premise behind them is easy enough to understand--we'll color your address bar green (or provide some other kind of green-hued, visual cue) to let your users know that you spent tons more money on the same level of encryption. Some sites have reported increased conversion rates which, in the minds of the site owners, more than makes up for the cost, so if you've bought them and you are happy with them, that's super.

I get a lot of hits to this blog where "extended validation" shows up somewhere in the keyword search and I have a question for my readers who also happen to be developers. Are extended validation certificates difficult to work with?  Does the slightest idiosyncrasy in markup on a page wreak havoc with them? Today's example is with Firefox 3.5 Preview, Internet Explorer 7, Safari 4.0, and the mozilla add-ons site.

Open https://addons.mozilla.org/en-US/firefox/ in one of these browsers--let's start with IE7. The site is encrypted using a GlobalSign Extended Validation certificate and before anyone in P.R. freaks, I'm not slamming any company in this post. In IE7, you get the green bar:

Ie7-greenbar  

Displaying the Certificate's Extended Details though, you don't get something that any user on the Internet would probably find extremely helpful:  An answer to the question "Should I trust this site?"  Instead of popping up a nice little "Yes" message when clicking the link, you get a Microsoft Help page listing all the different ways that your address bar could be colored with each one stating ways how you could still not be protected.


Switching to Firefox 3.5 Preview, although this behavior existed in Beta 4 as well, instead of getting a green bar, you get a blue bar:


Is this a bug?  Is there something wrong with the page?  It doesn't appear to be the case that Firefox can't display EV certs, since my health insurer's site displays as expected.  (Update:  It appears to be a bug.  Other GlobalSign EV SSL certificate-using sites don't display right either.  Check out demo site:  https://ev.globalsign.com/ Update 2: This bug exists in Firefox 3.5 RC1 as well. I had opened up a bug request through bugzilla but it was closed as a duplicate).

Finally, I'm liking how Safari handles them--you can't really tell that an EV cert is being used unless you hover the mouse over the green Mozilla Corporation text next to the prominently displayed RSS button:

Ff35preview-greenbar   


It's almost as if the safari developers are saying, "Yeah...we aren't too sure about these things either".

Now, let's switch back to IE7 since they so prominently display the issue and go to https://blogs.verisign.com/.  Again, I'm not picking on Verisign this time--just using their site to display the issue (and yes, I understand that one wouldn't normally try connecting to a blog over an encrypted channel--humor me!). At the start, everything looks fine:

Ie7-vrsnblogs-start


Click on the link for Tim Callan's Web Blog, everything is still fine:

Ie7-vrsnblogs-step1


Go back and then click on the link for the new Web User Experience Blog, you get warned about a mix of SSL and non-SSL items on the page and the green bar vanishes although the site name didn't change:

Ie7-vrsnblogs-step2   


So what's going on here?  Is there some absolute http URL in the HTML somewhere that is throwing off IE?  I don't really know and since this is not an electronic commerce site that I'm buying from (it's a blog site), it's not that big a deal but it does help illustrate my point that it seems like browsers don't really work well with EV certs yet.  Is whatever the cause of the problem on this blog something that is equally easy to perform on a site where visitors might be buying something from?  If so, do we now need to consider writing an Extended Validation Certificate-Using Web Site Markup Validation tool to make sure that the green bar always displays as expected?  I wouldn't want to do that without first knowing all the ways one can break them first--and I don't yet know all the ways one can break them.

UPDATE:  Today's (July 17, 2009) release of Firefox 3.5.1 appears to fix one problem I reported with GlobalSign's Extended Validation certificates so now the location bar displays green when connecting to GlobalSign's EV test site, (https://ev.globalsign.com/) but still doesn't display green on https://addons.mozilla.org/ (on my Mac at least).  This provides a good example of the basic problem I see with providing this kind of visual cue to end-users.  Both sites appear to be signed by the same CA certificate but one displays as expected and the other doesn't.  If I were to guess, I would think that there is something encrypted on the page protected by a different CA signed certificate or there is something on the page that is being delivered over HTTP by way of an absolute url.  I confess, I haven't figured out what it is yet.

12/18/2008

A Question for Visitors to This Site Using Internet Explorer

One look at this site and it is pretty clear that I'm no designer. I ran through some google analytics statistics for this month so far and was surprised to see that Internet Explorer only accounted for about one-third of the visits to this site. As it is a tech blog primarily focused on apache, tomcat, jboss and related items, maybe this isn't so surprising a statistic but today was the first time in the year that this site has been up that I visited it myself using Internet Explorer 7 and I have to say that this site looks terrible in IE.

I have no intentions of bashing IE or Microsoft here and I know I could spend some time trying to make the site work well across all browsers but the site pretty much looks the same as-is in Opera, Safari, Chrome and Firefox--only in IE do things look even stranger. This and the fact that approximately 35% of this site's visitors still use IE6 and IE7 has me wondering: Why DO technical users continue to utilize IE? I can understand if my visitors were typical Internet users but the focus of this blog and the search queries/referrals indicate that people visiting this site are looking for specific technical information, which implies "Developer", "System Administrator", "Webmaster", etc.—pretty much any one aware of the various rendering issues with Internet Explorer 7 and below.

If there is anyone out there visiting the site today and reading this particular post, if you could reply in the comments why you are satisfied with Internet Explorer as your main browser that would be really great.